The most important point about the new NY SHIELD Act is that any business that holds private information of a New York resident – regardless of whether that organization does business in New York – is required to comply, and fines can be hundreds of thousands of dollars.
The Act goes partially into effect in less than two months. On October 23, 2019, changes to New York’s data breach notification statute take effect, providing updated definitions and additional coverage.
New data security protections are effective on March 21, 2020.
SHIELD stands for Stop Hacks and Improve Electronic Data Security Act and was inspired by government and legal action against Equifax, which ultimately cost the company billions of dollars.
It is important to note that the definition of private information is changing
New York’s original data breach notification law included definitions for both “personal information” and “private information.” The current definition of “personal information” remains unchanged, and will continue to be “any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.”
The SHIELD Act amends the definition of “private information” to include three new types of personal information that are covered by the law:
A) Account number, credit or debit card number, even without additional identifying information or a password
B) Biometric information, such as an individual’s fingerprint, voice print, or retina image
C) User name or e-mail address in combination with a password or security question and answer that would permit access to an online account.
Data Breach has a new definition as well
A breach was previously defined as the unauthorized acquisition of personal information; under the amended law, a breach has occurred if there was unauthorized acquisition of, or access to, private information.
When evaluating whether access occurred, the Act provides that a business may consider “indications that the information was viewed, communicated with, used, or altered by a person without valid authorization or by an unauthorized person.”
Similar to GDPR, the SHIELD Act now has global implications
The old New York data breach law applied to any “person or business which conducts business in New York state, and which owns or licenses computerized data which includes private information…” The Act has removed the “conducts business in New York state” requirement. Now, regardless of whether the person or business is conducting business in New York, the SHIELD Act applies to those who possess private information for a New York resident.
This is similar to the EU’s GDPR regulation.
There are new data breach notification requirements
The Act now provides that notice to affected persons is not required if the exposure of private information was an inadvertent disclosure by persons authorized to access private information, and the person or business reasonably determines that such exposure will not likely result in misuse of such information or cause financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials. If this exception applies, the person or business must document the determination and maintain the documentation for at least five years. If the incident affects more than five hundred New York residents, the written determination must be provided to the New York Attorney General within ten days after the determination.
For those businesses that are required to comply with data breach requirements under laws such as the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) or the Gramm-Leach-Bliley Act, additional notifications are not required to be issued to impacted New York residents. However, these businesses are required to notify the New York Attorney General, the New York Department of State, and the New York Division of State Police.
The SHIELD Act also requires that breach notifications include the telephone numbers and websites of the relevant New York State and federal agencies that provide information regarding security breach response and identity theft prevention and protection information.
Data Security Protections
In an effort to reduce the likelihood of data breaches, the SHIELD Act creates new “Data Breach Security Protections.” All persons or businesses that own or license computerized data that includes private information for a New York resident will now be required to comply with a “reasonable security requirement,” meaning that they will need to “develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information including, but not limited to, disposal of data.” The reasonable safeguards require any applicable person or business (i) to be in compliance with laws such as HIPAA or the Gramm-Leach-Bliley Act or (ii) to implement a data security program that includes the following:
Reasonable administrative safeguards such as the following, in which the person or business:
(1) Designates one or more employees to coordinate the security program;
(2) Identifies reasonably foreseeable internal and external risks;
(3) Assesses the sufficiency of safeguards in place to control the identified risks;
(4) Trains and manages employees in the security program practices and procedures;
(5) Selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and
(6) Adjusts the security program in light of business changes or new circumstances; and
Reasonable technical safeguards such as the following, in which the person or business:
(1) Assesses risks in network and software design;
(2) Assesses risks in information processing, transmission and storage;
(3) Detects, prevents and responds to attacks or system failures; and
(4) Regularly tests and monitors the effectiveness of key controls, systems and procedures; and
Reasonable physical safeguards such as the following, in which the person or business:
(1) Assesses risks of information storage and disposal;
(2) Detects, prevents and responds to intrusions;
(3) Protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and
(4) Disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.
While small businesses are subject to the reasonable security requirement, the SHIELD Act provides that these safeguards may be “appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.” The Act considers a small business to be one that has less than fifty employees; less than $3 million in gross annual revenue in each of the last three fiscal years; or less than $5 million in year-end total assets.
Reckless violations can result in a fine of up to $250,000.
The per-record breach fine is $20 and is capped at 12,500 records.
How to stay safe:
1) Determine if you are in possession of private information for New York residents, even if you are not conducting business in New York. This may be the opportunity to assess whether you need to retain this information for ongoing business purposes.
2) Ensure that you have administrative, technical, and physical safeguards in place that comply with the requirements of the SHIELD Act.
3) Develop, or revisit, internal policies for how the company will identify and respond to a data breach. Ensure that your employees understand the policies and that they are properly implemented.
4) This is a good time to re-evaluate corporate cybersecurity – new attacks are launched constantly against organizations. We reported earlier today that a new IRS scam warning has been disseminated by the IRS – warning people to be careful not to click on emails from the organization as they are likely malicious messages disguised to look like they emanated from the agency.
5) Read cybersecurity essentials – a simple list which will help most organizations become far more secure.
6) Go to a phishing simulation vendor now and sign up for one of their offerings. Phishing Box, KnowBe4 and Phish360 are all great.
7) We also recommend you get a free evaluation of your cybersecurity risk from an MSP/MSSP immediately – they can also help you build in the needed compliance to reduce the risk of being fined.